The Web Site for the CA Must be Configured to use HTTPS

KB ID 0000838 

Problem

When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.

In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication

Solution

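The correct fix is to set the web server (IIS) to serve the certificate website securely using HTTPS, though you can just set Internet Explorer to ‘work’ from your client machine if you are in a hurry; that workaround relaxes the Trusted Sites zone settings on the client rather than fixing the server.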

Make Internet Explorer Accept Your Certification Authority

Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.

1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.

 

2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.

3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.

4. Restart the browser and try again.

Set IIS to serve Certificate Services Securely (via https).

This assumes you have your CA and the web portal installed correctly.

1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.

Note: If https is missing simply add it!

2. Expand Default Web Site > Certsrv > SSL Settings.

 

3. Tick ‘Require SSL’ > Apply.

4. That should be all you need, if it does not take effect straight away then drop to command line and run iisreset /noforce.
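The same server-side fix scripted with the WebAdministration module, as an added example that is not part of the original article. The thumbprint is a placeholder, and the binding is assumed to be all addresses on port 443 of the Default Web Site.

```powershell
# Added example: the IIS Manager steps above, run from an elevated PowerShell prompt.
Import-Module WebAdministration

$site       = 'Default Web Site'
$app        = "$site/CertSrv"
$thumbprint = '<THUMBPRINT-OF-SERVER-CERT>'   # placeholder: the server certificate, NOT the CA one

# Check the certificate before binding it: it needs a private key on this
# machine and must not be the CA's own certificate.
$cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key on this server.' }
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if ($bc -and $bc.CertificateAuthority) { throw 'That is a CA certificate; select the server certificate.' }

# Add the https binding if it is missing, then attach the certificate to it.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
if (-not (Test-Path 'IIS:\SslBindings\0.0.0.0!443')) {
    $cert | New-Item 'IIS:\SslBindings\0.0.0.0!443' | Out-Null
}

# Tick 'Require SSL' on CertSrv only, leaving the rest of the site untouched.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $app `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Read the setting back so the change is confirmed rather than assumed.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $app `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```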

Related Articles, References, Credits, or External Links

NA

Certsrv: Can Only See User and Basic EFS

KB ID 0001552

Problem

When connected to the Web Enrolment portal (Certsrv) for your Certificate Services, you attempt to submit a certificate request. But you only see User and Basic EFS under Certificate Templates, like so;

Solution

I’ve done this myself many times, usually you are looking for the ‘Web Server‘ template and it’s not there, so we will use that as an example. Go to your CA Server.

Windows Server – Locate CA / Certificate Services

Administrative Tools > Certificate Services > Certificate Templates > Firstly make sure the template you are looking for is actually published! (i.e. is in the right hand window). Assuming it’s published, right click Certificate Templates > Manage.

Locate the template in question, Properties > Security > Grant the USER you are logged in, and attempting to submit the certificate request as, the READ and ENROL rights > Apply > OK.

Restart certificate services.

Allow a little time for Active directory replication, then try again.


Windows Certificate Services ‘certsrv’ Website displays 403.14

KB ID 0001342 

Problem

I seem to get all the PKI/Certificate services problems! Yesterday I was trying to use the web enrolment portal on a certificate services server, and could not get in locally, (or remotely) via http, (or https) it simply showed me a 403.14 error.

HTTP Error 403.14 Forbidden

Solution

This was an odd one, in IIS Manager select the ‘Certsrv’ virtual directory > Advanced Options > And look at the ‘Path’.

Mine was missing the ‘en-us‘ folder from the end of the path!

Note: You will need to open an administrative command window, and then execute an iisreset command, before the change will take effect.


Server 2012 – Certificate Services – ‘HTTP Error 403.14 – Forbidden’

KB ID 0001067

Problem

I spun up a new Certificate Services server on my test network today, because I needed to issue some certificates for something I’m working on. It was a pretty vanilla build, just the Certificate Services role, and the Web Enrollment feature.

Solution

I spent a while searching this one down, as you can see (above) it was showing me the root cause of the problem. The page you normally see when you log into the web portal is default.asp, and that file is not in that folder.

1. Open IIS manager and then open the settings for the CertSrv virtual directory. Use the browse button to change the location.

2. Change the location to the sub folder en-US (or if you are in a different locale select your local one). > OK > OK.

3. Restart the web services and try again.
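A scripted version of the check and fix described in both 403.14 articles above, as an added example that is not part of the original articles. It assumes CertSrv lives under the Default Web Site and that en-US is the installed language folder.

```powershell
# Added example: find out whether CertSrv points at a folder without default.asp,
# and repoint it at the locale sub-folder if that is where the file lives.
Import-Module WebAdministration

$appPath = 'IIS:\Sites\Default Web Site\CertSrv'
$locale  = 'en-US'   # assumption: change to your own locale folder if different

# The stored path may contain %windir%, so expand it before testing.
$current = [Environment]::ExpandEnvironmentVariables((Get-Item $appPath).physicalPath)
$target  = Join-Path $current $locale
"CertSrv currently points at: $current"

if (Test-Path (Join-Path $current 'default.asp')) {
    'default.asp is already in that folder; the 403.14 has a different cause.'
}
elseif (Test-Path (Join-Path $target 'default.asp')) {
    # Path is missing the locale folder, as in the articles above.
    Set-ItemProperty $appPath -Name physicalPath -Value $target
    "Path changed to: $target"
    iisreset /noforce
}
else {
    # Neither location has the page; list any sub-folder that does.
    $found = Get-ChildItem $current -Directory -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $_.FullName 'default.asp') }
    "No default.asp in $target. Folders that contain it: $($found.Name -join ', ')"
}
```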


SBS Exchange Certificate Expired

KB ID 0000535

Problem

When you set up SBS2008 (and Exchange 2007) it creates and uses a self signed certificate, which is fine. But by default it only lasts two years. The best option is to buy a proper certificate, but if you simply want to generate a new one here’s how to do it.

Solution

1. Here you can see your certificate has expired.

2. Normally you need to access your certificate services web enrolment console to carry this procedure out. But when you navigate to https://localhost/certsrv you will probably see this:

Server Error in Application “SBS WEB APPLICATIONS”

Note: If web enrolment is installed, and you still can’t access certificate services (CertSrv) then click here

3. You are seeing this error because certificate services might be installed, but the “Certificate Authority Web Enrolment” role service is not, you can add it from server manager.

4. Select it and follow the on screen prompts > Go and have a coffee.

5. Now you should be able to access the web front end.

6. To get a certificate we need a certificate request, you can write the powershell yourself like so:

[box] New-ExchangeCertificate -GenerateRequest -Path c:\mail_yourpublicdomianname_co.csr -KeySize 2048 -SubjectName "c=gb, s=Your State County, l=Your City, o=Your Org, ou=Your Department, cn=mail.yourpublicdomianname.com" -PrivateKeyExportable $True [/box]

OR simply go here and let the good folk at Digicert do the heavy lifting for you.

7. Now you have the code, generate the request, on the Exchange server >  Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell > Execute the command you copied above.

8. This will dump the request on the C: drive (because in your command above you set the path to C:\mail_yourpublicdomianname_co.csr). Locate it and open it with Notepad. Then select and copy ALL the text (copy as shown, no extra spaces etc.)

9. If you have closed it down log into certificate services web access. Select “Request Certificate” > We will be submitting an advanced certificate request.

10. “Submit a certificate request by using………..”.

11. Paste in the text you copied at step 8, change the certificate template to “Web Server” > Submit.

12. Download the certificate.

13. Save it somewhere you can find it (the root of the C: drive is easiest, as you are going to be referencing it in a command shortly).

14. Job done, close the browser window.

15. Back at the Exchange Management Shell issue the following command:

[box] Import-ExchangeCertificate -Path c:\the-name-of-your-cert.cer [/box]

As it imports it shows you the thumbprint of the certificate, mark this and copy it to the clipboard.

16. Now you have the certificate imported you can enable it, issue the following command:

[box] Enable-ExchangeCertificate -Services "SMTP,POP,IMAP,IIS" [/box]

It will ask you for the thumbprint > paste it in > when prompted enter “A” to confirm all.

17. That’s the job finished.

SBS2008 Unable to access Certificate Services

I’ve seen this on a few SBS2008 Servers, when you install the web enrolment service it installs into the server’s “Default Web Site”. For any other Windows/Exchange combo that’s fine but SBS likes to do things its own way. It creates another web site called “SBS Web Applications” and uses that. That’s fine, but only one can be up and running at a time.

CertSrv The Webpage cannot be found

1. Warning: You are about to stop things like OWA briefly. From Administrative tools launch the Internet Information Services (IIS) Manager > Locate the SBS Web Applications site and click stop (right hand column) > then select the Default Web site and start it.

2. Select the CertSrv virtual directory.

3. You can now browse via http/https and this will open the site in your default browser. Don’t forget to stop the Default website, and restart the SBS Web Applications site when you are finished.

 


Cisco PRSM – Replace the Certificate Using Microsoft Certificate Services

KB ID 0001023 

Problem

Cisco PRSM gives you the ability to import certificates into it, but like other Linux distros does not give you the tools to generate the actual certificate request. The documentation tells you to use OpenSSL to do this. I was just about to fire up a CentOS box when I remembered I did something similar for VMware 5.5 not so long ago, would the same procedure work here? Yes it did, and it’s a lot easier than growing a ginger ponytail, donning sandals and firing up Linux.

Solution

The following procedure was carried out on Windows Server 2012 R2. I want my certificate to have a common name of prsm.petenetlive.com (change your configs and commands accordingly).

1. Download and install the following.

Microsoft Visual C++ 2008 Redistributable Package (x86) and Shining Light Productions installer for OpenSSL x86 version 0.98r (or later)

2. Accept all the defaults and it should install to C:\OpenSSL-Win32. Go there, and in the bin directory make a backup of the openssl.cfg file.

2. Open the original openssl.cfg file and delete everything out of it, then paste in the following text, replace the values in red with your own, and save the file.

[box]

[ req ]
default_bits = 2048
default_keyfile = prsm.petenetlive.com.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:PRSM, IP:123.123.123.110, DNS:prsm.petenetlive.com

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = Teesside
localityName = Middlesbrough
0.organizationName = PeteNetLive
organizationalUnitName = Technical Services
commonName = prsm.petenetlive.com

[/box]

3. Open an administrative command window, issue the following three commands;

[box]

cd C:\OpenSSL-Win32\bin

openssl req -new -nodes -out prsm.petenetlive.com.csr -keyout prsm.petenetlive.com-orig.key -config openssl.cfg

openssl rsa -in prsm.petenetlive.com-orig.key -out prsm.petenetlive.com.key

[/box]

Don’t worry if it says it can’t read the openssl.cnf file.

4. If you look in the C:\OpenSSL-Win32\bin directory you will see the CSR (certificate request) has been generated.

5. Open the .csr file with notepad and copy all the text, (this is a request in PEM format). This is what you will give to your CA to request the certificate, copy that to the clipboard.

6. Connect to your Certificate Authority web enrollment portal > Request a certificate.

7. Advanced certificate request.

8. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

9. Paste in the PEM text you copied to the clipboard > Set the certificate template to ‘Web Server’ > Submit.

Note: Your CA may have a different template for web server certificates, if so use that one. If you don’t see web server either it’s not been published, or your user does not have rights to the certificate template.

10. Choose ‘Base 64 encoded’ > Download > Save the cert in the directory you were using earlier (you will see why in a minute) > I give it the same name as the common name on the certificate so I saved it as prsm.petenetlive.com.cer

11. Here it is, but there is still a problem with it, PRSM needs the certificate in x509 format, (it isn’t). But OpenSSL-Win32 can convert it for us.

How to Convert a Windows .cer file to an x509 .crt file

12. Open an administrative command window and issue the following two commands;

[box]

cd C:\OpenSSL-Win32\bin
openssl x509 -in prsm.petenetlive.com.cer -out prsm.petenetlive.com.crt

[/box]

13. Now it looks better, for PRSM we need this file AND we need the .key file, (not the one that ends in xxx-orig.key!) In the example below I’ve kept everything neat so the other file I need is prsm.petenetlive.com.key, (third one down).

14. Connect to PRSM > Administration > Server Certificates > Browse and select both files.

15. Install and Restart Server.

16. Restart.

17. Refresh your web session and you should now be using the correct certificate.
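Checks worth running on the files from steps 3 to 13 before uploading them to PRSM, as an added example that is not part of the original article. File names and SAN values follow the walk-through above; setting OPENSSL_CONF to the edited openssl.cfg is this example's choice.

```powershell
# Added example: confirm the CSR, the issued certificate and the private key
# all agree before the pair is uploaded.
$bin     = 'C:\OpenSSL-Win32\bin'
$name    = 'prsm.petenetlive.com'
$openssl = Join-Path $bin 'openssl.exe'
$env:OPENSSL_CONF = Join-Path $bin 'openssl.cfg'   # stops the "can't read openssl.cnf" message
Set-Location $bin

# SAN entries as 'openssl ... -text' prints them for the subjectAltName line in openssl.cfg.
$expectedSan = 'DNS:PRSM', 'IP Address:123.123.123.110', 'DNS:prsm.petenetlive.com'

function Get-MissingSan([string]$text) {
    # Case-sensitive substring test, so 'DNS:PRSM' is not satisfied by 'DNS:prsm...'.
    $expectedSan | Where-Object { -not $text.Contains($_) }
}

# 1. Before submitting: the request must already carry every SAN.
$csrText = & $openssl req -in "$name.csr" -noout -text | Out-String
$missing = @(Get-MissingSan $csrText)
if ($missing) { throw "CSR is missing SAN entries: $($missing -join ', ')" }

# 2. After issue: the certificate from the CA must carry the same SANs.
$crtText = & $openssl x509 -in "$name.crt" -noout -text | Out-String
$missing = @(Get-MissingSan $crtText)
if ($missing) { throw "Certificate is missing SAN entries: $($missing -join ', ')" }

# 3. The certificate and the .key file must be the same key pair
#    (both commands print a single 'Modulus=...' line).
$certMod = & $openssl x509 -in "$name.crt" -noout -modulus
$keyMod  = & $openssl rsa  -in "$name.key" -noout -modulus
if ($certMod -ne $keyMod) { throw "$name.key does not match $name.crt" }

# 4. Show who issued it and how long it is valid for.
& $openssl x509 -in "$name.crt" -noout -subject -issuer -dates
```

Both .key files are written unencrypted (encrypt_key = no and -nodes), so remove them from the bin directory once PRSM has the pair.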


Cisco ISE – Replace the Self Signed Certificate

KB ID 0001068 

Problem

Cisco ISE arms itself with a self generated certificate out of the box, (well the NFR appliance does anyway). To replace that cert with one signed by your own CA, this is the procedure. (Note: I’m using Microsoft Certificate Services on Server 2012 R2).

Solution

Step 1: Import the CA Certificate into ISE

Note: If you have a lot of issuing servers it’s a good idea to repeat this procedure for EVERY issuing server you have in your PKI environment. Assuming you have an off-line root that would be every SubCA (to use Microsoft terminology). On my test network I only have one so that’s not a problem.

1. Connect to the web enrollment portal of your Certificate services folder > Download a CA Certificate, certificate chain, or CRL.

2. Select DER encoding > Download CA Certificate.

3. Save the certificate where you can find it, with a sensible name.

4. Log into ISE > Administration > System > Certificates > Certificate Store > Import.

5. Import the certificate you just saved and tick the ‘Trust for client authentication or secure Syslog services’ option > Submit.

Step 2: Generate a New Certificate for Cisco ISE

6. Whilst still in the certificate section > Local Certificates > Add > Generate Certificate Signing Request.

7. Enter the FQDN of the ISE appliance > Submit.

8. Certificates > Certificate Signing Requests > Export.

9. Again save it somewhere you can find it easily.

10. Open the PEM file you just created, and copy all the text to the clipboard.

11. Back at your web enrollment portal > Request a certificate.

12. Advanced certificate request.

13. Submit a certificate request by using…

14. Paste in your copied text (make sure no spaces get added to the end, this usually happens, be careful) > Set the template to Web Server (or your own template, if you are not using the default one) > Submit.

15. Select DER encoded > Download certificate > Save it with a name that is recognizable as the ISE appliance.

16. On the ISE web portal > Local Certificates > Add > Bind CA Signed Certificate.

17. Browse to the new cert > Select EAP and HTTPS > Submit.

18. Now remember to connect to the ISE appliance using its FQDN (you did remember to create a record in DNS for it didn’t you?)

At this point if you get an error either the URL is wrong, or you didn’t create a DNS record, or the machine you are on does not trust your issuing server’s root certificate.
